Gonna vent... but corporate wireless needs to be just that. Corporate devices only. No outsiders. If it's a BYOD device, it needs to be managed by an MDM.
EAP-TLS means the fewest headaches with security. PEAP with MS-CHAP means employees can add all their devices with a username and password. EAP-TLS means only devices with a company cert get on.
Outside vendors need access? Options should be either to use a corporate laptop or a VDI session or an AWS Workstation. If those don't work, consider an SSH gateway that contractors can make a secure login to and then access the internal network via a recorded SSH session.
Guest wireless is everybody else. Never should any of it touch the internal network. I won't mention names, but there's more than one company out there where I was able to join the guest wireless network and then directly access everything in the datacenter. No access to the employee subnets, ironically, but full access to the datacenter environment.
What drives me up the wall are customers that have a history of fuzzing those boundaries, who want more security but are unwilling to make stronger limits like I've outlined above.
"You want to block all unauthorized users but still allow visiting professors to be able to self-provision full access to the corporate network?"
:yeahright:
Then there's the opposite, where somebody wants to be a tech nazi, and insists on obscure pointless things like EAP chaining (well not pointless but overkill for 99% of environments) AND they don't want to hear about all the obscure proprietary things in the chain.
OFC now there's Win10 build 2004 with TEAP support, so good luck with that. God I hate NACs :)
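The guest-wireless failure described in the post (no path to the employee VLAN, but full reach into the datacenter) is usually a first-match firewall policy whose "guest to Internet" allow rule is broad enough to also match internal ranges. The following is an added example, not code from the thread or any of its posters: a small policy linter that simulates first-match rule evaluation and reports which internal networks a guest client could still reach. All subnets, rule sets and port choices are constructed for illustration.

```python
"""Audit a guest-WLAN firewall policy for leaks into internal subnets.

Added example (not from the thread). Models a first-match firewall with an
implicit final deny, then probes sample guest->internal flows to find
internal networks that an over-broad "allow to Internet" rule exposes.
All addresses and rules below are constructed, not taken from any real site.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: str                    # source CIDR
    dst: str                    # destination CIDR
    port: Optional[int] = None  # None matches any destination port

    def matches(self, src_ip, dst_ip, port: int) -> bool:
        return (src_ip in ipaddress.ip_network(self.src)
                and dst_ip in ipaddress.ip_network(self.dst)
                and (self.port is None or self.port == port))


def evaluate(policy: List[Rule], src: str, dst: str, port: int) -> str:
    """First-match semantics: the first rule that matches decides; otherwise deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in policy:
        if rule.matches(src_ip, dst_ip, port):
            return rule.action
    return "deny"


def find_leaks(policy: List[Rule], guest_net: str, internal_nets: List[str],
               ports=(22, 443, 3389)) -> List[str]:
    """Return internal networks that some guest host can reach on a probed port.

    Probes the first and last usable host of each internal network from the
    first usable guest address; a single allowed flow counts as a leak.
    """
    guest_ip = str(ipaddress.ip_network(guest_net)[1])
    leaks = []
    for cidr in internal_nets:
        net = ipaddress.ip_network(cidr)
        targets = [str(net[1]), str(net[-2])]
        if any(evaluate(policy, guest_ip, t, p) == "allow"
               for t in targets for p in ports):
            leaks.append(cidr)
    return sorted(leaks)


# Constructed sample environment.
GUEST = "10.99.0.0/16"
EMPLOYEE = "10.10.0.0/16"
DATACENTER = "10.200.0.0/16"
ANY = "0.0.0.0/0"
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# The mistake from the post: employee VLAN is explicitly blocked, but the
# "guest to Internet" allow rule matches every destination, datacenter included.
LEAKY_POLICY = [
    Rule("deny", GUEST, EMPLOYEE),
    Rule("allow", GUEST, ANY),
]

# Corrected policy: deny all private space from guest first, then allow Internet.
FIXED_POLICY = [Rule("deny", GUEST, net) for net in RFC1918] + [
    Rule("allow", GUEST, ANY),
]


def leak_report(policy: List[Rule]) -> str:
    leaks = find_leaks(policy, GUEST, [EMPLOYEE, DATACENTER])
    return "guest can reach: " + (", ".join(leaks) if leaks else "nothing internal")


if __name__ == "__main__":
    print("leaky policy ->", leak_report(LEAKY_POLICY))
    print("fixed policy ->", leak_report(FIXED_POLICY))
```

The linter is deliberately conservative: it samples two hosts per internal range and a handful of ports, so a clean result is evidence of correct ordering, not proof. Feeding it the real rule base exported from the guest VLAN's firewall, with the internal ranges from the IPAM, turns the post's anecdote into a repeatable check that can run on every policy change.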
Yeah, already getting questions about TEAP support. Once the feature request goes through, I'll be able to talk about that.
Seriously, just use an agent. It's so complex that it's really Windows and Mac only anyway, so why do you care if it's an agent or standard?